Background
PwC Threat Intelligence recently reported on BPFDoor, a passive network implant for Linux targeting telecommunications providers. The activity was attributed to the Chinese nexus threat actor group Red Menshen.
What is BPFDoor?
BPFDoor is a stealthy surveillance tool used by the threat actor group known as Red Menshen. It targets multiple Linux-based systems, including Solaris SPARC. BPFDoor has been in the wild for at least five years, is highly evasive, and is not detected by most endpoint protection vendors.
According to security researcher Kevin Beaumont, threat actors can use BPFDoor to backdoor a system for remote code execution without opening new firewall rules or network ports. If a web app is already listening on a port such as 443, the implant can listen and react on that same port and be reached over it, because it inspects traffic with a BPF packet filter instead of opening a port of its own. The threat actors use a controller tool that works over both internal networks and the internet, allowing them to communicate with the implants using a password. PwC noted the threat actors used virtual private servers to send commands to BPFDoor victims.
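Because the implant never opens a port of its own, port and firewall inventories will not show it; a host-side check has to look instead for the mechanism itself. The script below is an added example (not PolySwarm's, PwC's or Beaumont's code) and rests on one assumption: a passive implant that filters traffic with BPF has to hold an AF_PACKET socket, which is what the kernel lists in /proc/net/packet. It parses that file, maps each socket inode to the process that owns it via /proc/<pid>/fd, and reports any owner that is not a known packet-capture tool. The process names, inode numbers and /proc contents in the sample data are constructed for the example; the allowlist is a starting point to tune per fleet, not a verdict.

```python
"""List AF_PACKET sockets and the processes holding them (Linux, run as root).

Added example; not from the original report. Assumes an implant of the kind
described holds an AF_PACKET socket for its BPF filter. Falls back to
constructed sample data when /proc is not available so it can be read offline.
"""
import os
import re
from typing import Dict, Iterable, List, Optional

SOCK_RAW = 3        # Type column: 3 = SOCK_RAW (whole frames), 2 = SOCK_DGRAM
ETH_P_ALL = 0x0003  # Proto column: 0003 = every protocol on the interface

# Processes that legitimately hold packet sockets on many hosts; tune per fleet.
KNOWN_CAPTURE_TOOLS = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
                       "wpa_supplicant", "lldpd"}

# Constructed sample of /proc/net/packet (column layout as printed by the kernel).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1b2c3d4e5f 3      3    0003   2     1 0      0      41233
ffff9a1b2c3d4e60 2      2    0800   0     1 0      0      51877
"""
# Constructed stand-ins for os.readlink on /proc/<pid>/fd/* and for /proc/<pid>/comm.
SAMPLE_FD_LINKS = {
    "/proc/1337/fd/3": "socket:[41233]",
    "/proc/2048/fd/5": "socket:[51877]",
    "/proc/2048/fd/1": "/dev/null",
}
SAMPLE_COMM = {1337: "svc_helper", 2048: "dhclient"}  # hypothetical names


def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse /proc/net/packet rows into socket type, protocol, interface, inode."""
    rows = []
    for line in text.splitlines()[1:]:  # skip header
        fields = line.split()
        if len(fields) < 9:
            continue
        rows.append({"type": int(fields[2]), "proto": int(fields[3], 16),
                     "iface": int(fields[4]), "inode": int(fields[8])})
    return rows


def socket_owners(fd_links: Dict[str, str]) -> Dict[int, int]:
    """Map socket inode -> pid from '/proc/<pid>/fd/<n>' -> 'socket:[inode]' links."""
    owners: Dict[int, int] = {}
    for path, target in fd_links.items():
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            owners[int(m.group(1))] = int(path.split("/")[2])
    return owners


def suspicious_packet_sockets(proc_text: str, fd_links: Dict[str, str],
                              comm_by_pid: Dict[int, str],
                              allowlist: Iterable[str] = KNOWN_CAPTURE_TOOLS) -> List[dict]:
    """Return packet sockets whose owning process is not an allowlisted capture tool."""
    owners = socket_owners(fd_links)
    findings = []
    for row in parse_proc_net_packet(proc_text):
        pid: Optional[int] = owners.get(row["inode"])
        comm = comm_by_pid.get(pid, "?") if pid is not None else "?"
        if comm in allowlist:
            continue
        # A raw socket on all protocols is the shape a port-sniffing filter needs.
        sees_all = row["type"] == SOCK_RAW and row["proto"] == ETH_P_ALL
        findings.append({**row, "pid": pid, "comm": comm, "raw_all_traffic": sees_all})
    return findings


def read_fd_links() -> Dict[str, str]:
    """Collect fd symlink targets for every process; needs root to see other users' fds."""
    links: Dict[str, str] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                try:
                    links[f"{fd_dir}/{fd}"] = os.readlink(f"{fd_dir}/{fd}")
                except OSError:
                    pass  # fd closed meanwhile
        except OSError:
            continue  # process exited or not permitted
    return links


def read_comms(pids: Iterable[int]) -> Dict[int, str]:
    comms: Dict[int, str] = {}
    for pid in pids:
        try:
            with open(f"/proc/{pid}/comm") as f:
                comms[pid] = f.read().strip()
        except OSError:
            pass
    return comms


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as f:
            text = f.read()
        links = read_fd_links()
        comms = read_comms(set(socket_owners(links).values()))
    except OSError:  # not a Linux host: demonstrate on the constructed sample
        text, links, comms = SAMPLE_PROC_NET_PACKET, SAMPLE_FD_LINKS, SAMPLE_COMM
    for hit in suspicious_packet_sockets(text, links, comms):
        print(f"pid={hit['pid']} comm={hit['comm']} type={hit['type']} "
              f"proto=0x{hit['proto']:04x} raw_all_traffic={hit['raw_all_traffic']}")
```

On the sample data the dhclient socket is dropped by the allowlist and the remaining raw, all-protocol socket owned by an unfamiliar process is reported. On a real host, treat a hit as a lead to investigate (check the binary on disk, its parent, and whether it is sending on a port another service owns), not as proof of compromise; a socket with a filter that matches only a magic packet is a property of this technique, so the allowlist is deliberately short.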
Beaumont researched the malware throughout 2021 and found it affected systems in multiple countries including the US, South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar. BPFDoor was discovered in systems across multiple verticals including government, postal and logistics, and education. Beaumont stated that BPFDoor appears to be used for surveillance purposes.
Who is Red Menshen?
Red Menshen, also known as Red Dev 18, is a Chinese nexus threat actor group active since at least 2021. Red Menshen’s targets include telecommunications entities in the Middle East and Asia. Other verticals the group targets include government, education, and logistics. Known TTPs include BPFDoor, Mangzamel, Mimikatz, Metasploit, and custom variants of Gh0st. Red Menshen also uses VPSs hosted at a well-known service provider and VPNs leveraging compromised routers located in Taiwan. The threat actors appear to be active on a regular schedule, operating Monday through Friday from the hours of 01:00 to 10:00 UTC.
IOCs
PolySwarm has multiple samples of BPFDoor. You can use the following CLI command to search for all BPFDoor samples in our portal:
$ polyswarm link list -f BPFDoor
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.